[HN Gopher] Find You: Building a stealth AirTag clone
___________________________________________________________________
Find You: Building a stealth AirTag clone
Author : kerm1t
Score : 141 points
Date : 2022-02-21 16:01 UTC (6 hours ago)
(HTM) web link (positive.security)
(TXT) w3m dump (positive.security)
| Friday_ wrote:
| Why not build your own tracker that doesn't rely on Apple? You
| only have to have GPS, LoRaWAN, MCU, battery, and antenna. That's
| about it.
| giaour wrote:
| Can you get onto a lorawan network without some kind of service
| contract? Seems like it would leave a paper trail for
| investigators to follow, whereas the pirate AirTags described
| in the article are anonymous commodity hardware using the
| victim's Apple devices for connectivity.
| Friday_ wrote:
| I don't know. Maybe you get a signal from the tracker (everyone
| likewise), and if somebody asks you if you are the owner of
| it, you just play dumb.
| mckirk wrote:
| You also need a way to communicate back the tracking results,
| which presumably implies a SIM card and thus more opportunity
| to get detected (and linked back to you). But yes, in theory
| you can (and always could) do that.
|
| The barrier to entry would be a lot higher though, as all
| that's needed here is 'microcontroller with Bluetooth'. And
| that really makes it dangerously easy.
| cure wrote:
| > You also need a way to communicate back the tracking
| results, which presumably implies a SIM card and thus more
| opportunity to get detected (and linked back to you). But
| yes, in theory you can (and always could) do that.
|
| I think gp included the lorawan for that purpose. No SIM
| required.
| mckirk wrote:
| Ah right, I had overlooked that, never having seen the word
| "lorawan" before.
|
| I honestly have no idea how widespread LoRaWAN is, but I
| would be very surprised if it came anywhere close to the
| coverage you can achieve using Apple users carrying your
| uplinks around unwittingly. (Especially if you are
| attempting to track an Apple user.)
| scoopertrooper wrote:
| You'd also need a LoRaWAN network to hook into.
|
| But most importantly, I doubt you could build a LoRaWAN
| tracker as compactly as an AirTag. A beacon would use
| significantly less electricity and therefore require a
| smaller battery.
|
| Below is one of the smallest LoRaWAN modems on the market,
| which by itself is marginally bigger than an AirTag. Now
| add batteries, GPS, antennas, and an SoC to drive the whole
| thing.
|
| https://www.murata.com/en-
| eu/news/connectivitymodule/lpwa/20...
| Scoundreller wrote:
| There are some groups building 'armageddon' mesh-based
| hand-held communicators like Meshtastic. Converged
| hardware is already there. The network probably is too in
| more and more metros if you're not within a few km of
| what you're trying to communicate with/track.
|
| https://meshtastic.org
|
| Map: https://canvis.app/meshtastic-map
| Friday_ wrote:
| This looks interesting, but the device itself looks like it
| wouldn't survive a fall on the floor, let alone armageddon.
| Just joking.
| Scoundreller wrote:
| The case is up to you. I plan on using a plastic food jar
| :)
| cure wrote:
| There's also the helium network
| (https://explorer.helium.com/) which has a surprising
| amount of coverage, especially in urban areas.
| rahimnathwani wrote:
| Because:
|
| - using a cellular modem requires a high capacity battery
|
| - if you hide a tracker well, it probably won't have a good GPS
| reception
|
| Apple's BLE-based network solves both of these problems.
| Friday_ wrote:
| Those are not problems that needed to be solved.
|
| Problem is: 1. Precise location of the tracked object, now
|
| This is actually one problem, and Apple didn't solve it very
| well: AirTag doesn't work in real time. You only get updates
| when there are people near the object who use an iPhone.
| quenix wrote:
| > You only get updates when there are people near the object
| who use an iPhone.
|
| Ok? In practice, this is most of the time. In most
| reasonable use cases (i.e. excluding the Sahara desert or
| some remote mountain).
| LeoPanthera wrote:
| > using a cellular modem requires a high capacity battery
|
| The example third party AirTag clone described on the linked
| page is powered by a full size USB power bank.
| kayson wrote:
| Because it's a proof of concept using an ESP32, not because
| that battery capacity is fundamentally necessary for the
| idea to work.
|
| It could easily be optimized for power and size. Sure, it
| will have to use more power than a vanilla airtag, because
| it's doing (slightly) more, but not enough to make a
| significant difference.
| kelnos wrote:
| You or I could probably do that, but that's well beyond the
| technical capabilities of your average would-be stalker.
| mk_10000000 wrote:
| Link to the repo: https://github.com/positive-security/find-you
| mmastrac wrote:
| Does this mean that Apple is failing to validate the capability
| of things that purport to be AirTags? Or that the BLE protocol is
| just not powerful enough to have Apple signatures on each
| broadcast public key?
|
| If it's the latter, it might mean that the entire AirTag product
| line is dead in the water.
| smithza wrote:
| Apple will probably say something to the effect of, "we didn't
| have to put anti-stalking technology in, and it works well for
| the 99% of use cases." The common stalker will not have the
| technical skills to build their own custom-firmware version of
| a BLE-enabled system. I don't think this revelation will kill
| the product line.
| deanc wrote:
| I didn't fully grep the article, but assuming the src is
| public and hardware is trivially built - I wouldn't put it
| past someone packaging this up and selling it. It doesn't
| need a huge number of people to be bad enough PR for Apple to
| have to do something - much like 99.9999999% of people are
| not using them for stalking but it's all that's talked about
| in the media with these tags.
| mmastrac wrote:
| After reading more about this on the attached repo, I think
| we're going to see some AliExpress clones popping up pretty
| quick. AirTags appear to be pretty minimal tech - much less
| complex than I had thought if you exclude the high-precision
| location finder.
| smithza wrote:
| It is a difficult technical problem for Apple to solve all
| of the corner-cases. The article shows the screenshot of
| seemingly 100 unique FindMy devices around this guy's
| personal residence... there may be some characterization
| work that can help solve that so an iPhone user would get
| the alert message. But Apple will continue to promote it
| and dismiss or downplay these security concerns.
| mox1 wrote:
| The problem is easy to solve, just store copies of all
| public keys of each air tag you send out.
|
| Air Tag messages with unknown public keys just get
| dropped on their server side checks.
| gruez wrote:
| > The problem is easy to solve, just store copies of all
| public keys of each air tag you send out.
|
| That kills the privacy aspect of it, because it also
| means Apple knows the exact whereabouts of each
| tag. AirTags are specifically designed/marketed so Apple
| can't do that.
| anchpop wrote:
| A core selling point of Airtags is that other people's
| iPhones help you find your AirTag. That's also what makes
| them effective trackers. It's a bit of an unsolvable
| problem.
| mox1 wrote:
| Yes, and Apple 100% has the capacity / ability to filter
| out "fake" AirTags on their back-end. All they need to do
| is setup a manufacturing process that captures the public
| keys.
|
| So the phones will still relay the beacons to Apple, who
| can then do things and just reject messages from these
| fake tags.
|
| (I worked for a Medical Device Company that set all of
| this up within our supply chain).
| mmastrac wrote:
| If they haven't been doing this so far, it seems like it
| will be a tough job to record them after the fact.
| Perhaps they could interrogate each device and require it
| to be re-adopted, then record the data at that point but
| it seems like an arms race they won't win.
| gumby wrote:
| They are just getting started. They could add this to
| their production -- the old ones would quickly become a
| tiny percentage.
| gumby wrote:
| > The common stalker will not have the technical skills to
| build their own custom-firmware version of a BLE-enabled
| system.
|
| The state or corporate actor will have those skills.
|
| The common stalker will simply buy them online.
| IshKebab wrote:
| Yeah I don't understand this. Surely airtags have to be
| registered, and when an iPhone sees tag 3957375967 Apple's
| servers look that up and say "oh it's registered to Billy Bob;
| I'll tell them".
|
| But if your fake airtag rotates through 2000 IDs how do you
| register them all?
| xt00 wrote:
| Seems like the end-game for this is to change things around
| like this:
|
| 1. you can't track items outside of some distance from you in
| real-time
|
| 2. items marked as lost would need to be sent to a review
| team inside apple (contractors I imagine) that would then log
| your information, require you to explain what the item is,
| and generally make it very cumbersome to get the actual
| location or history of the location
|
| 3. then very likely a neutral 3rd party would have to go to
| the location to determine if the claim seems to be
| legitimate, or this is a case of somebody stalking somebody
| else or something
|
| 4. likely would require police getting involved somehow
|
| The idea that people can be vigilantes and track down their
| own stolen bike is a great idea, but it basically equates to
| "stalking somebody".. any work-arounds for android users and
| iphone users will either only work in certain circumstances
| (what if you only live 1 mile away from the bars downtown --
| then now the stalker knows where you live and the device was
| with you a super short period of time -- maybe 2-5 mins
| depending upon method of travel)... the only way around this
| is to block people from being able to get the raw information
| -- sure the data might be collected, but giving it directly
| to the customer is both the best and worst thing about this.
| UncleEntity wrote:
| Apple apparently stores every reported location in a database
| and allows people to query whether a certain public key was
| received with or without the key being registered to a
| specific user since they change on a regular basis so one
| can't track a specific device.
| stefan_ wrote:
| The mental model I had is that AirTags are manufactured with a
| private/public key pair burned into them that allows Apple to
| validate the thing you are linking to your account on initial
| setup is really a legit AirTag.
|
| It appears none of that was ever true and you can register just
| anything as an AirTag that speaks the right BLE with no secrets
| required for a world full of iPhones to start tracking them.
|
| So yeah, expect Chinese clones to show up within a month, for
| five dollars each and certainly no speaker included.
| a-dub wrote:
| Silly question here: modern smartphones rotate their MAC
| addresses frequently for privacy, but aren't the Bluetooth
| addresses on phones and headphones and all the rest static and
| easily detected?
| air7 wrote:
| It seems to me that this attack leaves a very easy to detect
| signature of several tags that were seen only once by the same
| device. To counter being detected, an attacker would need to fake
| other readings of the same single-use "tags" by other devices.
| This is somewhat similar to detecting fake spam accounts in
| social networks. It's a cat-and-mouse game, but it seems that in
| this case the cat has the upper hand unless the mice are willing
| to put in a lot of effort to fake "realness", which might make
| the attack not feasible.
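The two detection heuristics discussed in this thread, the on-device "one identifier keeps following me" check that IshKebab's rotating-ID question implies a key-rotating clone evades, and air7's network-side signature of "many tags each seen only once by the same reporter", as an added Python example. This is illustrative code written for this page; it is not Apple's detection logic and not code from the positive-security/find-you repository. The sighting log is constructed, and the identifier format, the coarse location cells and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    reporter: str  # finder device that relayed the advertisement
    key_id: str    # identifier derived from the advertised key (assumed format)
    minute: int    # minutes since the start of the observation window
    cell: str      # coarse location bucket (assumed: a geohash-like prefix)


CELLS = ["home", "office", "gym", "cafe", "station"]


def build_sightings():
    """Constructed observation log for the demo; none of this is real Find My data."""
    log = []
    # A: a stock tag with one fixed identifier travels with phoneA all day.
    for i, cell in enumerate(CELLS):
        log.append(Sighting("phoneA", "tag-fixed", 60 * i, cell))
    # B: a rotating-key beacon travels with phoneB; every advertisement
    # phoneB relays carries a key the network has never seen before.
    for i in range(40):
        log.append(Sighting("phoneB", f"rot-{i:02d}", 10 * i, CELLS[i % len(CELLS)]))
    # C: thirty neighbours' tags, each seen once by phoneA at home (the
    # "100 unique devices around the residence" situation from the post).
    for i in range(30):
        log.append(Sighting("phoneA", f"bg-{i:02d}", 5, "home"))
    # D: a commuter's own tag relayed by several different phones.
    for i, rep in enumerate(["phoneC", "phoneD", "phoneC", "phoneE"]):
        log.append(Sighting(rep, "tag-commuter", 30 * i, CELLS[i]))
    return log


def client_side_alert(log, reporter, min_cells=3):
    """On-device heuristic: flag any identifier this reporter has relayed
    from at least min_cells distinct places. Per-advertisement key
    rotation defeats it outright, because no identifier ever repeats."""
    cells_by_key = defaultdict(set)
    for s in log:
        if s.reporter == reporter:
            cells_by_key[s.key_id].add(s.cell)
    return {key for key, cells in cells_by_key.items() if len(cells) >= min_cells}


def server_side_alert(log, min_singletons=20, min_cells=3):
    """Network-side heuristic: a reporter that relays many identifiers the
    whole network saw exactly once, spread over several places, is probably
    carrying a rotating-key beacon. A cluster of singletons all in one place
    (a neighbourhood full of tags) does not trip it."""
    sightings_by_key = defaultdict(list)
    for s in log:
        sightings_by_key[s.key_id].append(s)
    singletons = defaultdict(list)  # reporter -> sightings of network-wide singleton keys
    for seen in sightings_by_key.values():
        if len(seen) == 1:
            singletons[seen[0].reporter].append(seen[0])
    flagged = set()
    for reporter, seen in singletons.items():
        if len(seen) >= min_singletons and len({s.cell for s in seen}) >= min_cells:
            flagged.add(reporter)
    return flagged


if __name__ == "__main__":
    log = build_sightings()
    print("phoneA on-device:", client_side_alert(log, "phoneA"))   # {'tag-fixed'}
    print("phoneB on-device:", client_side_alert(log, "phoneB"))   # set()
    print("server-side flagged reporters:", server_side_alert(log))  # {'phoneB'}
```

The second heuristic only works if the service can correlate which reporter uploaded which key, which is the privacy trade-off gruez raises above; and, as air7 notes, an attacker can push back by arranging for each key to be seen by more than one finder so that nothing looks like a singleton.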
| noja wrote:
| Other trackers don't tell you they are tracking you though, what
| about those.
| giaour wrote:
| You can purchase pre-made GPS+cellular trackers, but it seems
| like it would be much easier to tie a detected tracker of this
| type back to a specific person. A tracker with cellular
| capability will have a SIM and some kind of subpoena-able
| service record, while one of the pirate AirTags described in
| the post is basically just an antenna and a battery.
| gruez wrote:
| >A tracker with cellular capability will have a SIM and some
| kind of subpoena-able service record
|
| Prepaid SIM. The US (and many other countries) do not have
| mandatory registration for SIM cards. See:
| https://www.gsma.com/publicpolicy/wp-
| content/uploads/2013/11...
| CharlesW wrote:
| I understand your point and it's completely valid, but I think
| the difference is that Apple is mainstreaming personal tracking
| in a way that other companies could only dream of, and in doing
| so is also mainstreaming awareness of how technologies like
| this might be abused. Because of this, Apple has painted a
| giant target on their back even though they're arguably
| handling privacy issues better than anyone else in this space.
|
| On the bright side, the end result of this is that AirTags will
| be safer for everyone, and competitors with tracking products
| not designed for secret spying will be forced to step up their
| privacy games.
| Scoundreller wrote:
| I think what Apple is really mainstreaming is the mass-use of
| their devices as a low-bitrate, irregular sneakernet. This
| should replace lots of IoT stuff.
|
| It's kinda dumb that our cabin has a 'smart' meter on a
| meshnetwork, but there's no way for me to remotely turn-on a
| heater 4h before I arrive without a $10+/month subscription.
|
| Maybe one day I can offline order a book and it just shows up
| because the on-line devices nearby (or are likely to show up
| nearby) can drop it off wirelessly.
|
| A traffic light won't be needing its own internet
| subscription or private physical network to beam up a picture
| of the intersection or status.
| tiarafawn wrote:
| If they need to rely on their own GPS and internet uplink
| rather than just bluetooth, they would be much more expensive
| Crosseye_Jack wrote:
| But not that much more even in small quantities.
|
| If you exclude the time to dev the software, design the PCB,
| and assemble the tracker, then you can knock up an NB-IoT
| module + GPS module + microcontroller & supporting parts (to
| tie the two modules together) for about $30-$35 in small
| quantities; keep your data usage low and you can throw in a
| pre-paid NB-IoT SIM for about $15.
|
| EDIT: It's not gonna be as small as an AirTag, but if you
| wanted to tag something like a car you could get it into a
| small enough box to easily hide under it.
|
| EDIT The 2nd: Throw in a movement detector, keep everything
| asleep unless it's moved, and before firing up the GPS/modem write
| your code so as not to power up the GPS/modem unless a
| certain time has passed since the last known location fix;
| when you do fire up the GPS, compare the location to the last
| known location so you only need to phone home if the distance
| has changed by a certain amount, and you could get a decent
| battery life.
|
| (not that I've thought about this...)
| kelnos wrote:
| Sure, but I hope it's easy to understand that it's orders
| of magnitude easier to just buy an AirTag (including
| "silenced" ones from eBay or wherever) and drop it in
| someones purse or coat pocket, or attach it to their car.
|
| Pretty much no regular stalker is going to design and build
| their own GPS+cellular tracker. Even if someone were to do
| that and then sell them online, the barrier to finding and
| buying those are still probably going to be higher than
| getting an AirTag. And the battery won't last anywhere near
| as long as well. And also consider that the software
| running on it, as well as the cloud service that lets you
| check the location, doesn't just magically appear either.
| Someone has to build and host that as well. Even a lower-
| tech solution that just emails a location report every few
| minutes still requires work to build.
|
| Yes, it's absolutely possible, and not super difficult, to
| track someone using a GPS+cellular device. But it feels
| really disingenuous to claim that tracking people was just
| as easy to do for your average stalker pre-AirTags.
| Shank wrote:
| > Even if someone were to do that and then sell them
| online, the barrier to finding and buying those are still
| probably going to be higher than getting an AirTag.
|
| They're on Amazon, for $50-150 [0]. The first result for
| "GPS tracker" I found has 10 days of battery life, which
| is a fair negative, but you can do a lot to someone if
| you follow them for 10 days.
|
| [0]: https://smile.amazon.com/LandAirSea-Waterproof-
| Magnetic-Pers...
| Crosseye_Jack wrote:
| > Sure, but I hope it's easy to understand that it's
| orders of magnitude easier to just buy an AirTag
|
| Oh yeah, Was just pointing out that the pricing of such
| things is dropping like flies.
|
| > Pretty much no regular stalker is going to design and
| build their own GPS+cellular tracker.
|
| Agreed, again was just pointing out the pricing of parts.
|
| > Yes, it's absolutely possible, and not super difficult,
| to track someone using a GPS+cellular device. But it
| feels really disingenuous to claim that tracking people
| was just as easy to do for your average stalker pre-
| AirTags.
|
| I don't think I did claim that. I wasn't trying to claim
| that. Maybe that's just the limitation of using text.
| eyeeyesawayyy wrote:
| Airtags are unique in that they use every iphone in the world
| as part of the network which tracks them and reports their
| locations.
|
| So, unlike GPS trackers or competing Bluetooth trackers,
| AirTags can do two things:
|
| * Last for a very long time on a small battery, no recharging
| required.
|
| * Reliably report location anywhere in the world that an
| ordinary person is likely to be.
| moffkalast wrote:
| I've always been sceptical of this working well enough to be
| usable. Does the average iphone owner leave their bluetooth,
| gps, and mobile network on 24/7? Sounds like an awful waste
| of power. What about in the rest of the world outside the US,
| Canada and Australia where Android is the market leader and
| iphones are rather rare?
|
| What happens inside buildings when the phone doesn't have a
| fix? Does it store the tag's key and sends it as soon as it
| gets gps data?
| stefan_ wrote:
| _AirTags exist and they work perfectly fine in all these
| conditions._ We would need to turn the clock back a few
| years for this comment to make sense, in a universe where
| AirTags didn't yet exist.
|
| Your phone takes its last position from GPS, refines it
| with RSSI of nearby WiFi networks and then you add in the
| broadband stuff they have to localize the tag further.
| jaywalk wrote:
| > Does the average iphone owner leave their bluetooth, gps,
| and mobile network on 24/7?
|
| Absolutely, yes.
|
| > What happens inside buildings when the phone doesn't have
| a fix?
|
| Have you never used your phone inside a building before? It
| still has a very good idea of your location, it doesn't
| rely solely on GPS signals.
| gorbypark wrote:
| I've just moved to Spain, from Canada, and was wondering
| the same. A quick google search shows iPhone has less than
| 12% market share here. I did a little test in Valencia
| about a week ago by just walking around with my AirTag on
| my keys in "lost mode" and they got picked up very
| frequently. I was pretty happy with the results, I don't
| think approximately only one in ten people on the streets
| having an iPhone would have much effect on the usefulness.
| [deleted]
| planb wrote:
| > Does the average iphone owner leave their bluetooth, gps,
| and mobile network on 24/7?
|
| Yes of course. That's how these phones are supposed to
| work. I don't have time to micromanage my devices. As long
| as I get a day of usage, why would I bother?
| jimjambw wrote:
| Why wouldn't you leave those things on? Apple designed iOS
| for those things to be handled and turned on when needed.
| BLE is quite low in power, GPS is only on when location
| services need it. These are concerns I would have had about
| 10-15 years ago, but I don't now.
| jedberg wrote:
| AirTag is a difficult problem to solve -- the usefulness of the
| product for "good" uses is directly related to how easy the "bad"
| uses are. Eventually it will be limited to the point where you
| can only track items that your phone can detect, and that won't
| be super helpful.
|
| Sure you can use it to find your lost keys in your own house and
| maybe have it warn you when you've been separated from your
| AirTag, but that's about it.
| [deleted]
___________________________________________________________________
(page generated 2022-02-21 23:00 UTC)